Side-channel-free quantum key distribution 
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Quantum key distribution (QKD) offers the promise of absolutely secure communications. How- 
ever, proofs of absolute security often assume perfect implementation from theory to experiment. 
Thus, existing systems may be prone to insidious side-channel attacks that rely on flaws in experi- 
mental implementation. Here we replace all real channels with virtual channels in a QKD protocol, 
making the relevant detectors and settings inside private spaces inaccessible while simultaneously 
acting as a Hilbert space filter to eliminate side-channel attacks. By using a quantum memory 
we find that we are able to bound the secret-key rate below by the entanglement-distillation rate 
computed over the distributed states. 

PACS numbers: 03.65.Ud,03.67.Dd,42.50.-p 



In 1982 Richard Feynman conjectured the use of quan- 
tum systems as a technological platform for solving diffi- 
cult calculations in physics. Eventually this insight lead 
to the field of quantum information processing. As part 
of the field's growth, it has partly diverged into the two 
main application domains: computation and communi- 
cations, though much fundamental and technical overlap 
still exists. Interestingly, the key application that has 
started to mature and is now commercially available is 
quantum cryptography, or more precisely quantum key 
distribution (QKD) which has quickly moved from the 
purely theoretical [l|-IH to a practical technology 0-0] . 

How can we explain the impressive industrial uptake 
of quantum cryptography and its ultimate aim to take 
over classical systems? The answer lies in the claim of 
"absolute security" 10]. Unfortunately, while the idea 
is very compelling, subtle details in implementation may 
introduce flaws that could, potentially, be open to attack. 
Specifically, attacks from so called "side channels" rep- 
resent one of the most elusive threats in practical quan- 
tum cryptography, because a system could be vulnerable 
to side-channel attacks even if it is unbreakable in the- 
12j |. In fact, the recent approach of "device- 
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independent QKD" 13[ makes important advances in 
handling imperfect implementations, and can even be 
made by untrusted parties, but does not directly address 
all possible side-channel attacks, where, for example, de- 
tectors may directly receive external probing aimed at 
seeding or gleaning their readout. 

In principle side-channel attacks affect both classical 
and quantum cryptography, but could be especially dev- 
astating for quantum cryptography, precisely because 
of the proclaimed absolute security "guarantee". The 
threat from such attacks has been demonstrated in both 
lab and installed field settings [12J. Thus, while practi- 
cal QKD systems have been fighting a trade-off between 
distance and key generation rate, they are still facing the 
fundamental problem of guaranteed security, choosing to 
rely on theoretical promises of absolute security without 
having any way of authenticating them in practice. 



FIG. 1: Private space to private space. The UTP acts as a 
correlator. 



Private spaces: general model 

Let us consider the scenario of Fig. [TJ Two authenti- 
cated parties, Alice and Bob, control two private spaces, 
A and B, respectively. Conventionally, these spaces are 
assumed completely inaccessible from the outside, i.e., 
no illegitimate system may enter A or B. For this reason 
every kind of side-channel attack upon the private spaces 
is assumed excluded. In practice, however, any port can 
allow a side-channel to enter possibly probing any de- 
tector, state-generation or detector settings. To prevent 
or overcome such attacks, the QKD system must effec- 
tively isolate its private spaces: the private space must 
not be directly involved in either state preparation (for 
sending) or detection (of incoming states). To overcome 
such probing side-channel attacks, we propose perform- 
ing state-generation by collapse of a bipartite entangled 
state, so that any probe from outside is perfectly isolated 
from the state-generation "machinery" (see Supplemen- 
tary Material for an extended discussion). Thus, in a 
manner akin to teleportation, we replace all real chan- 
nels with virtual channels. This allows us to physically 
(and "topologically" ) separate all detectors and settings 
within the private space from external probing, while also 
acting as a Hilbert space filter [3] against any side chan- 
nel. 

Within its own private space, each party (Alice or 
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Bob) has a bipartite state p which entangles two systems: 
{A, A'} for Alice, and {B, B'} for Bob. Systems {A, B} 
are kept within the private spaces, while systems {A', B'} 
are sent to an untrusted third party (UTP), whose task 
is to perform a quantum measurement and communicate 
the corresponding result. This untrusted LOCC then al- 
lows the creation of correlations between the private sys- 
tems {A, B} that Alice and Bob can exploit to generate 
a secret-key. In its simplest form an ideal side-channel 
free QKD scheme reduces to an entanglement swapping 
setup 15(, with the dual teleportation channel acting as 
an ideal Hilbert space filter. What is unique about our 
protocol is the ability to completely protect private space 
settings and detectors from probing side-channel attacks. 

In the worst case scenario, the UTP must be identified 
with Eve herself, whose aim is to eavesdrop the key, or 
even prevent Alice and Bob from generating the key (i.e., 
a denial of service). In the most general case, Eve applies 
a quantum instrument T = to the incoming sys- 

tems {A',B'}. This is a quantum operation with both 
classical and quantum outputs. For each classical out- 
come I, there is a corresponding completely positive (CP) 
map Ti applied to the systems {A',B'} [16(. This means 
that the global input state paa' ® Pbb' is transformed 
into the conditional output state 

PabeH) = ~ 777 {Ia® Ib ® Ti) {pa A' ®> Pbb' ) , (1) 

where E represents an output quantum system in the 
hands of Eve, while I a <8> Ib is the identity channel act- 
ing on the private systems {A, B}. Cleary each outcome I 
will be found with some probability p{l), depending both 
on Ti and the input state. As a consequence the classical 
output of T can be simply represented by the stochas- 
tic variable L = {l,p(l)}. The quantum output of T is 
represented by the system E which is correlated with the 
private systems {A,B} via the conditional state pabe\l 
specified by Eq. ([T]). E is the system that Eve will use 
for eavesdropping. For instance, most generally Eve can 
store all the output systems E (generated in many in- 
dependent rounds of the protocol) into a big quantum 
memory. Then, she can detect the whole memory using 
an optimal quantum measurement (corresponding to a 
collective attack). 

According to the agreed protocol, the UTP must send 
a classical communication (CC) to both Alice and Bob 
in order to "activate" the correlations. Here, Eve has 
another weapon in her hands, i.e., tampering with the 
classical outcomes. In order to decrease the correlations 
between the honest parties, Eve may process the output 
stochastic variable L via a classical channel 

p(l'\l):L^L', (2) 

and then communicate the fake variable L' — {l',p(l')} 



to Alice and Bob, where 

p(0 = 5>g',o, p(i',i)= P (i'\i)p(i). (3) 
i 

This process projects the private systems {A, B} onto 
the conditional state 



Pab\l> — Trg (pabe\l>) , 



(4) 



where 
Pabe{1') = 



^J2p( v > OpWO =52p(i\i')pabe(1). 

(5) 

Notice that, if V is completely unrelated to L, then 
Eve realizes a denial of service, being the communica- 
tion of the fake variable equivalent to tracing over sys- 
tems {A',B'}. In other words, for p(l',l) = p(l')p(l), we 
have pab\v = PA® Pb, where pa = Tr^' (paa>) and 
PB = Tr_B< (pbb>)- 

Secret-key rate: General analysis 

After M rounds of the protocol, Alice and Bob will 
share M copies (pab\l')® M ■ Note that, in general, Al- 
ice and Bob do not know anything about the physical 
process within the UTP, i.e., they do not know the cou- 
ple {T, L —> L'}. For this reason, what they actually 
get are M copies of an unknown state p AB plus classi- 
cal information L' . However, by measuring a suitable 
number M' of these copies, they are able to deduce the 
explicit form of the conditional state pab\L' for the re- 
maining N = M — M' copies (here M, M' and N are 
large numbers). Then, by applying local measurements, 
Alice on her private systems and Bob on his, they are 
able to extract two correlated classical variables, X and 
Y. Finally, from these variables, they can derive a shared 
secret key via the classical techniques of error correction 
(EC) and privacy amplification (PA). These procedures 
can be implemented using one-way classical communica- 
tions between these two parties. 

Let us bound the secret-key rate of the protocol. For 
simplicity we omit here the conditioning on L', so that 
Eq. (0| simply becomes pab = Trg (pabe)- It is un- 
derstood that the final result must be averaged over 
L' . Independently from its generation, the (generally) 
mixed state pab can be purified in a pure state &ABe — 
|$) {^\abb by introducing a suitable system "e" to be as- 
signed to Eve (this is generally larger than the E system 
considered before). After this purification, the scenario 
is the one depicted in Fig. [2] Here, for every bipartition 
of the systems, {AB,e}, {Ae,B}, or {Be, A}, the cor- 
responding reduced states have the same von Neumann 
entropy. In particular, we have S(pab) = S(p e ). 

Now suppose that Alice performs a POVM A4a = 
{A(x)} on her system A with classical outcome x. This 
measurement projects Q ABe onto the conditional state 

L Tv A \A(x)$ ABe A(x)A , (6) 



§Be{x) 



p(x) 
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FIG. 2: Purified scenario. 



P(X) = TlABe A[x)$AB e A( X ) 1 



(7) 



Thus Alice encodes the stochastic variable X = {x,p(x)} 
in the nonlocal ensemble £se = {^Be(x),p(x)}. Given 
the conditional state $ Be \x of Eq. ©, Bob and Eve can 
only access their local states, respectively given by 



Thus, on his side, Bob has the ensemble £ B = 
{p B (x),p(x)}, whose measurement estimates Alice's vari- 
able X. Assuming that Bob has a quantum memory, 
he can collect all the private systems B associated to 
the N rounds of the protocol. Then, asymptotically for 
N — >• oo, Bob can reach the Holevo bound [17] 



I{X : B) = S( PB ) 



p(x)S[p B (x)}. 



(9) 



At the same time, Eve's information is bounded by 

I(X : e) = S(p e ) - ^p(i)%(i)]. (10) 

X 

Assuming one-way CCs from Alice to Bob (for imple- 
menting EC and PA), we can write the secret- key rate as 
a difference of Holevo informations II a. i.e., 



R = I(X : B) - I(X : e) 



(11) 



If we now assume that Alice's POVM is rank one, 
then the conditional state <$> B e\x is pure and, therefore, 
Pb\x arL d p e \x have the same entropy, i.e., S[p B (x)] — 
S[p e (x)]. As a consequence, we can write 

R = S(p B ) - S( Pe ) = S(p B ) - S(pab) = I(A)B), (12) 

where I(A)B) is the coherent information between Alice 
and Bob. Thus the secret-key rate is lower-bounded by 
the entanglement-distillation rate. 

Secret-key rate: Detailed analysis 

Here we make a more detailed analysis which is more 
closely connected to the scenario of Fig. [T] In fact, the 
rate R of Eq. (|12p comes from the general configuration 



of Fig. [2] which is independent from the actual process 
generating the final state of Alice and Bob. If we explic- 
itly consider the peculiarities of the scheme of Fig. Q] then 
we could achieve a larger rate R* > R. This new rate can 
be achieved if Alice and Bob have some knowledge of the 
classical unreliability of the UTP, i.e., of the amount of 
information which is "absorbed" by the classical channel 
L — > V . Thus, if Eve tries to tamper with the overall 
security by employing fake CCs, then Alice and Bob can 
potentially extract a secret-key with rate larger than the 
entanglement-distillation rate. 

In this section, we take the different conditionings (by 
L and L') explicitly into account. After the CC of V = 
{l',p(l')}, Alice and Bob possess the conditional state 
PAb(1') of Eq. (j4j. Let us assume that Alice performs 
a POVM A4a = {A(x}} on her system A with classical 
outcome x. This generates the doubly-conditional state 
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Pb(xJ') = —-j-Tva A(x) P ab(1')A(x^ , (13) 

P(X\l ) L J 



p B {x) =Tr e [$ Be {x)], p e (x)=Tr B [$ Be {x)}. (8) where 



p(x\l') = Tr A B A(x)pab(1')A(x? 



(14) 



Averaging over the CCs, the output of Alice's measure- 
ment is the unconditional variable X = {x,p(x)}, where 



p(x) = ^2p(x\l')p(l') - Tr^ \A(x) PA A(x) 



(15) 



This is the secret variable to be estimated by Bob. In his 
private system B, Bob has the ensemble 



{p(x,l'),p B (x,l')}, 



(16) 



where p(x,V) — p(x\l')p(l'). Clearly, this ensemble de- 
pends on both X and V . Exploiting his knowledge of 
L', Bob applies a conditional measurement A4b\l' to his 
system B which estimates the value x encoded by Al- 
ice. Asymptotically (i.e., for N — > oo), using a quantum 
memory and averaging over the CCs (i.e., over L'), Bob 
can reach the conditional Holevo information 19] 



I(X :B\L') = ^2p(l')I(X:B\L' = l') 



(17) 



For Eve we have to consider the different conditioning 
given by L. Thus, the conditional state that Eve shares 
with Alice is 



Pae\l — Trs (pabe\l) 



(18) 



which becomes Pe\xl after Alice's projection. Explicitly 
this state is given by 



Pe(x,1) 



1 



p(x\l) 



A{x) P ae{1)A{x)^ 



(19) 
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where 

p(x\l) = Ttab [a{x) PA e(1)A{x)^ . (20) 

Thus, Eve has the ensemble 

£ E = {p(x,l),p E (x,l)}, (21) 

where p(x,l) = p(x\l)p(l). Asymptotically, Eve can 
eavesdrop I(X : E\L) bits per copy 20]. 

As a result, we can write the secret- key rate 

R* = I(X : B\L') — I(X : E\L). (22) 

This quantity can be rewritten as R* = R' + A, where 

R' = I(X : B\L') - I(X : E\L'), (23) 

and A = I(X : E\L') - I(X : E\L), quantifies the in- 
formation which is "absorbed" by the classical channel 
L L'. We call A the "classical cheating" by Eve. 
Clearly, we have A = for V = L. R' is the "apparent 
rate" , which refers to the apparent scenario where Alice, 
Bob and Eve are all subject to the same conditioning L'. 
In other words, R' is computed assuming the total state 
Pabe\l' i which is then projected onto Pbe\xu by Alice's 
measurement (see Fig. 
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Bob 



Private Space Private Space 

FIG. 3: Conditional state Pabe\l> projected onto Pbe\xl' ■ 

We can now easily prove that the secret-key rate is 
larger than the entanglement-distillation rate. We have 
the following result (see Supplementary Material for the 
proof) . 

Theorem. Suppose that Eve measures the incoming 
systems but cheats on the results using a classical channel 
L — > L' . Then, Alice and Bob's secret-key rate satisfies 



R* > I(A)B\L') + A, 



(24) 



where I(A)B\L') is the coherent information conditioned 
to Eve's fake variable L' , and A is the classical cheating. 

Our analysis leaves an intriguing open question. It 
would be wonderful to provide an explicit example where 
simultaneously A > and I(A)B\V) = 0, so that 
R* > 0. This would imply secret-key distillation with- 
out entanglement distillation. More generally, we cannot 
exclude the possibility that R* > I(A)B\L') by using 
POVMs which are not rank one. 



Conclusion 

We have shown that virtual channels may replace real 
channels in the QKD setting so as to remove any pos- 
sibility of side-channel attacks. In its simplest setting, 
our QKD protocol corresponds to an entanglement swap- 
ping experiment, where the dual teleportation channels 
act as ideal Hilbert space filters to wipe out side-channel 
attacks. The authenticated users' private spaces are de- 
signed so that any incoming quantum signal is topologi- 
cally excluded from access to detectors, detector settings 
or state-generation settings, thus side-channel probing 
attacks of the private spaces are eliminated. Finally, an 
external untrusted party performs a suitable LOCC (such 
as a Bell-state measurement) to create correlations nec- 
essary for shared key generation. 
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Note added 

We noticed the manuscript of Lo et al. |21j submitted 



to the arxiv just four days before our submission. At a 
2009 Dagstuhl seminar, SLB told the first author of that 
manuscript the detailed ingredients needed to turn en- 
tanglement swapping into a completely side-channel free 
QKD scheme. Despite this, we stress that there are sev- 
eral important differences between our work and that of 
Lo et al. 2l| which itself is based on previous results by 
Biham et al. and Inamori jlEj ]. 

1) Generality: Our work considers a QKD setup in- 
volving general quantum systems (e.g., they could be 
qubit-systems or bosonic modes). In the case of Lo et 
al. [2l|], the setup is strictly related to the use of decoy 
states. 

2) Untrusted party: Our work does not impose any 
restriction for the action of the middle eavesdropper, who 
implements a general quantum instrument with classical 
information communicated to Alice and Bob. Despite 
this general scenario, we can easily prove that the secret- 
key rate is lowerbounded by the coherent information. In 
Lo et al. [2l| , a very strong conjecture is made explicitly 
for the middle eavesdropper, who is always assumed to 
perform a Bell measurement. Thus, in practice, the third 
party cannot be regarded as an eavesdropper (Eve) but 
more correctly as a trusted party (Charlie). The real 
action of Eve is therefore restricted to the noise present 
in the quantum channels between the honest users and 
Charlie. 

3) Trojan-horses: Our work excludes the possibility 
that the eavesdropper is able to get information by send- 
ing trojan-horses into Alice's and Bob's apparata. This is 
the result of a Hilbert space filtering which derives from 
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a suitable use of the entanglement in Alice's and Bob's 
private spaces (this aspect is further discussed in our Sup- 
plementary Material). By contrast, in the paper Lo et at 
[2l| , state preparation can be easily eavesdropped upon, 
being directly inline with the output ports of Alice's and 
Bob's private spaces. 

Finally, in Lo et al. [2l[ there is a disconnect between 
the security proof (which relies on Alice and Bob cre- 
ating entanglement) and the implementation. We note 
however that the authors cite Ref. [22| as a possible way 
to avoid quantum information processing but do not se- 
riously discuss this as part of their proof in any detail. 

Supplementary Material 

IN DEFENSE OF PRIVATE SPACES 

In quantum cryptography unconditional security 
proofs are derived under the assumption that Alice's and 
Bob's apparata (private spaces) are completely inacces- 
sible by an eavesdropper who, therefore, can only at- 
tack the signal systems which are transmitted through 
the quantum communication channel connecting the two 
parties. Under this assumption, secret-key rates and se- 
curity thresholds are derived in both discrete and contin- 
uous variable quantum key distribution. 

One potential loophole in the security proofs is related 
to how a theoretical protocol is actually implemented ex- 
perimentally. Any redundant information encoded in ex- 
tra degrees of freedom or extra Hilbert space dimensions 
outside the theoretical prescription can allow for so-called 
side-channel attacks. By their nature, such attacks may 
be of classical or quantum degrees of freedom and are in- 
sidious because even quantifying their threat appears to 
involve understanding what have been called unknown 
unknowns about the vulnerability of the experimental 
set-up. 

Progress has been made on eliminating side-channel at- 
tacks in the quantum communication channels between 
private spaces, but this leaves open potential attacks on 
the private spaces through their quantum communication 
ports. Let us therefore take a step back and consider 
private spaces in more detail: What goes on in Alice's 
and Bob's private spaces involves a significant amount of 
classical information processing; at the very least the key 
itself will be generated and stored as classical informa- 
tion. Now with virtually any technology we have today 
classical information is stored, processed and transmitted 
in a highly redundant fashion (many electrons are used 
to charge a capacitor to represent a bit value, or many 
electrons must pass through the base junction of a tran- 
sistor to effect a logical switching operation, tapping on 
a keyboard produces sound waves and electromagnetic 



signals in addition to the 'legitimate' electrical signals in 
the wires, etc). In principle any of this redundant infor- 
mation may leak out of the private space through a "par- 
asite" channel. An eavesdropper might therefore ignore 
the quantum communication channel and directly attack 
Alice's and Bob's apparata by exploiting the presence of 
parasite channels: this is also a "side-channel attack" . 

The implicit assumption in quantum cryptography is 
that we could always improve technology in such a way 
that Alice's and Bob's private spaces are not affected by 
the presence of parasite channels, so that the legitimate 
participants do indeed have access to absolutely private 
spaces. (For instance, Alice and Bob could simulate the 
classical information processing on a quantum computer. 
A hacked operating system on such a machine could be 
tested for by randomly running subroutines that confirm 
that coherence is preserved and that no information is 
copied out to where it can be stored or transmitted by a 
trojan program — see also Ref. [13] ■) 

However, even if you rely on a perfect isolation tech- 
nology, there remains a potential chink in this armor, 
which is the quantum communication port used either to 
transmit a quantum state out of your private space or to 
accept a quantum state for detection into it. 

If you open a communication port for quantum states 
to enter or leave you must explicitly deal with side chan- 
nels which can be probing these links to your private 
space. Eve can potentially send trojan systems through 
Alice's and Bob's communication ports and detect their 
reflection to infer both state preparation and measure- 
ment settings. As an example, in the standard BB84 
protocol, Eve can irradiate Alice's apparatus by using 
optical modes at slightly different frequencies. Then, 
from reflection, Eve can infer the polarization chosen in 
each round of the protocol. Thanks to this information, 
Eve can measure each signal system in the correct basis. 
Another example regards the so-called plug-and-play sys- 
tems, where trojan systems can be reflected together with 
signal systems, as discussed in Ref. [loj . 

Our paper shows how to overcome the problem of the 
open quantum communication ports, therefore making 
feasible the notion of absolutely private spaces. Note 
that this problem is not addressed by current device- 
independent quantum cryptography, where such attacks 
on the private space ports are simply considered illegiti- 
mate as they violate the strong private space assumption. 
The key point of our scheme is that detectors are no 
longer "in line" with the quantum communication port 
of the private space. For this reason, it is not possible 
for an external party to probe the port and obtain detec- 
tor settings or readouts from the processing of parasite 
systems. In order to explain this key feature in detail, 
we analyze the problem of the quantum communication 
ports by comparing standard protocols with our scheme. 

In Fig.m we depict a general prepare-and- measure pro- 
tocol, where Alice's variable X is encoded in a quantum 
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state p(X) by modulation. Bob's variable Y is the out- 
put of a quantum measurement. Here, Eve can attack 
the quantum communication ports by using two trojan 
systems e and /. By means of e, Eve can retrieve in- 
formation about the state preparation X — > p(X). By 
means of /, she can retrieve information about the mea- 
surement apparatus of Bob and, therefore, about Y . 



Aire 



Bcb 



Eve 



PrivateSpace 



PrivateSpace 



processing the outcome of the measurement, and clas- 
sically communicating the processed data back to Alice 
and Bob. As a result the two private systems, A and 
B, become correlated, so that Alice and Bob can extract 
two correlated classical variables, X and Y, by applying 
suitable measurements. In particular, if Alice and Bob 
can access quantum memories, then they can extract a 
secret key at a rate which is at least equal to the coher- 
ent information between A and B. Eve can attempt a 
side-channel attack against the two ports by sending two 
trojan systems e and /. In this case, however, the appa- 
rata which detect the two private systems A and B are 
inaccessible to Eve. By exploiting reflections from the 
ports, Eve can only retrieve information regarding the 
reduced states pA' and pb> of the two public systems A' 
and B' . However, these reduced states contain no useful 
information about the private system A or B or Alice's 
or Bob's detector settings or outputs. 



FIG. 4: Port attack in a prepare and measure protocol. 

In Fig. [5j we depict a general entanglement-based pro- 
tocol, where an untrusted party (Eve) distributes entan- 
glement between two parties. This is done by distributing 
an entangled state p = Pab, where system A is sent to 
Alice and system B is sent to Bob. Alice and Bob can 
perform entanglement distillation and measure the out- 
put distilled systems to derive two correlated classical 
variables, X and Y, respectively. In this scenario, Eve 
can decide not to attack the source p but directly the two 
quantum communication ports of Alice and Bob. Eve can 
probe these ports by using two trojan systems e and /, 
which can retrieve information about Alice's and Bob's 
distilling and detecting apparata. As a result, Eve can 
infer information about X and Y. 



Aire 
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FIG. 5: Port attack in an entanglement-based protocol. 

In Fig. HI we depict our protocol where an untrusted 
party (Eve) represents an entanglement swapper between 
Alice and Bob. This is generally done by measuring two 
public systems, A' and B' , received from Alice and Bob, 




PrivateSpace PrivateSpace 

FIG. 6: Port attack in our scheme. 

To understand better how the full isolation of the pri- 
vate systems might be achieved, we may consider the 
procedure depicted in Fig. [7J It is explained for Alice's 
private space, but steps are identical for Bob. 

In the first step (a) , Alice's port is closed and she pre- 
pares an entangled state p = paa< where system A is 
directed towards a quantum memory (QM), while sys- 
tem A' is directed towards a delay line (DL). In step (b), 
once system A is stored in the memory and while system 
A' is trapped in the delay line, a shutter is used to fully 
separate the delay line from the rest of Alice's appara- 
tus. Note that a virtual channel between A and A' has 
been created. In step (c), Alice's quantum communica- 
tion port is opened and system A' is transmitted to Eve. 
During this stage, trojan systems may enter the port but 
no detector is in line with the port. In step (d), the port 
is closed with the private system A kept in the mem- 
ory. The previous steps (a)-(d) are repeated many times, 
so that Alice collects many private systems in her quan- 
tum memory. We therefore reach step (e) of the figure. 
Finally, once Alice has received all the classical commu- 
nications, she applies a collective quantum measurement 
on her quantum memory to retrieve the classical variable 
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FIG. 7: Possible procedure for the full isolation of the private 
systems. See text for explanations. 



X. This measurement can include or be anticipated by 
an entanglement distillation. 



NOTATION AND BASIC FORMULAS 

In part of the derivation we adopt the enlarged Hilbert 
space (EHS) representation, where stochastic classical 
variables are embedded in quantum systems. Consider a 
stochastic variable X = {x,p(x)} which is encoded into 
an ensemble of states of some quantum system A, i.e., 



This ensemble may be equivalently represented by the 
classical-quantum (CQ) state 



p(x) \x) (x| x <g) pa{x), 



(26) 



where the stochastic variable X is embedded into the 
dummy quantum system X, by using an orthonormal 
basis {\x)} in the Hilbert space Hx of X. We denote 
by pa{x) the state of a system A which is conditioned 
by the value x of a stochastic variable X. The notation 
Pa\x refers to the conditional state pa{x) where x is not 
specified. Clearly, we have 



PA = ^2p{x) Pa (x). 



(27) 



Given a quantum system A in a state pa, its von Neu- 
mann entropy S(pa) is also denoted by H(A). Given a 
quantum system X, embedding the stochastic variable 
X, its quantum entropy -ff(X) is just the Shannon en- 
tropy H(X). Given two quantum systems, A and B, we 
denote by I(A : B) their quantum mutual information. 
This is defined by 



I {A : B) = H(B) - H(B\A), 



(28) 



where H(B\A) = H(AB)—H(A) is the conditional quan- 
tum entropy. Note that H(B\A) can be negative and it 
is related to the coherent information by the relation 



I(A)B) = —H(B\A). 



(29) 



For A = X, the quantum mutual information I {A : X), 
which is computed over the CQ-state of Eq. (f2"6")l , corre- 
sponds to the Holevo information I {A : X), computed 
over the ensemble of Eq. (|25p . For A — X and B = Y, 
embedding two stochastic variables X and Y, J(X : Y) 
is just the classical mutual information I(X : Y). For 
three quantum systems A, B, and C, we can consider 
the conditional quantum mutual information 

I(A : B\C) = H(AC)+H(BC)-H(ABC)-H(C), (30) 

which is > as a consequence of the strong subadditivity 
of the von Neumann entropy. For a classically correlated 
system C — X, we have a probabilistic average over mu- 
tual informations, i.e., 

I (A : B\X) = I (A : B\X) = ^p{x) I(A : B\X = x). 



(31) 



List of other useful elements: 



• Given a tripartite quantum system ABC, we can 
use the "chain rule" 



£ A = {p(x),p A (x)}. 



(25) 



I(A : BC) = I {A : B) + I(A : C\B). 



(32) 
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Invariance of the Holevo information under addi- 
tion of classical channels, i.e., for a classical chan- 
nel 



we have 



p(y\x) :X^Y, 



I (A : X) = I (A : XY). 



(33) 
(34) 



• Given a Markov chain X — > Y — > Z, the classi- 
cal mutual information decreases under condition- 
ing [H, i.e., 



I{X : Y\Z) < I(X : Y). 



(35) 



Notice that, for three general stochastic variables, 
we have I{X : Y\Z) | I(X : Y), so that the so- 
called "interaction information" 

I(X :Y : Z) = I(X :Y\Z)-I{X :Y), (36) 

can be positive, negative or zero. 

• Data processing inequality. For a Markov chain 
X — s- Y — s- Z, we have 



H(X) > I(X : Y) > I{X : Z). 



PROOF OF THE THEOREM 



(37) 



Let us purify the mixed state Pabe\l' into the pure 
state ® ABE e\l> = l $ ) (®\abee\L' b y introducing an an- 
cillary system E which is assumed to be in Eve's hands 
(so that Eve's global system consists of EE). This sce- 
nario is depicted in Fig. HI 



Alice 



L' 



Bob 



X _ 













Private Space 
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FIG. 8: 

onto $, 



Purification. Conditional state <£> 



,j projected 



Thus, for the total state Pabe\l'i we have 

Pabe(1') = Tr E [$ ABEE (l')] . (38) 

For the conditional state Pbe\xl', generated by the mea- 
surement, we can write 

Pbe{x,1') 



p(x\V) 
1 



-Tr A 
-Tr 



A(x)p ABE (l')A(x)l 
A{x)^ ABEE (l')A(x)^ 



Tr^ [* BE e(x,1')] 



(39) 



where 



p(x\V 



A(x)<S> ABEE (l')A( x y 



(40) 

represents the conditional state & BB e\xl' which is gener- 
ated by the measurement in the purified scenario. Clearly 
if we discard X, we get the reduced state 



BEE\V 



BEE\XU 



X 



ABEE\L' 



(41) 



Because of Eq. (|39|) . the conditional state & BB e\xl' can 
be used to compute R' via 



R' = I(X:B\L') p -I{X:E\L') p 
= I(X : B\L%-I(X : E\L%, 



(42) 



where p = p BE \xu and $ = ® bee \xl' (the computation 
is exactly the same up to a trace over E). In the EHS 



representation, the conditional state $ 



, becomes 



BEE\XL 

(43) 

Thus, we can also set 

R' = I(X:B\L% -I(X:E\L')v, (44) 

where ^ = ^xl/bbb- F rom the chain rule we have 

/(X : EE\L% = /(X : E\L% + /(X : E\EL% 

= I(X:E\L%+ % (45) 

where 7 = /(X : E\EL')^ > is the information contri- 
bution due to the purification (25[. In other words, the 
(conditional) Holevo information can only increase with 
the purification, i.e., 

I(X : EE\U) = I(X : E\L') + 7 > I(X : E\L'). (46) 

As a consequence, we have R' = R" + 7, where 

R" = I(X :B\L%-I(X :EE\L%. (47) 

In terms of conditional entropies, we have 

R" =H(B\L')$ - H(B\XL% 

- [H(EE\L') 9 - H(EE\XL%}. (48) 

Here H{EE\L') is computed over $ = & bee \xl' dis- 
carding X and B, i.e., over the reduced state 



®EE\L> = Tr^B 



ABEE\L' 



(49) 



Now since &abee\l' ^ s P ure , we have H(EE\L') = 
H(AB\L'), where H(AB\L') can be computed over 
Pab\v = Tt ee1^abee\l'}- Clearly, also H(B\L') 9 can 
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be computed over Pab\u- As a consequence we can rec- 
ognize in Eq. (|48|) the conditional coherent information 

I{A)B\L') = H(B\L') - H(AB\L'), 

associated with Alice and Bob's conditional state Pab\l'- 
Thus, we can set 

R" = 1(A) B\L') + [H(EE\XL') 9 - H(B\XL%]. (50) 

Here, we can assume that Alice's measurement is a rank 
one POVM. As a result, $ = <&bee\xu ^ s a ^ so a P ure 
state, and we can set H(EE\XL')^ = H(B\XL')$>, so 
that R" = I(A)B\L'). Finally, we can write 

R* = R" + 7 + A 

= I(A)B\L') +7 + A 
>I(A)B\L')+A, (51) 

where we have used 7 > from its definition. 
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